Pursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES

Transcription

1 Pursuing Compliance with the FFIEC Guidance Risk Assessment 101 KPMG RISK ADVISORY SERVICES

2 Contents PART I An Increasing Threat: Identity Theft The FFIEC Response Risk Assessment Fundamentals The FFIEC Authentication Risk Assessment PART II Authentication Risk Assessment Framework Risk Assessment Steps The Transaction Scorecard The Transaction Scorecard: Detailed Explanation Risk Factors Likelihood Inherent Risk Control Strength Control Effectiveness Control Frequency Residual Risk Score 7 9 Disclaimers Contact Information 12 13

3 PART I An Increasing Threat: Identity Theft In 2005, the Federal Trade Commission quantified that 9.93 million persons were affected by identity theft, causing a loss to financial institutions of $46.9 billion. (Source: ftc.gov) One survey by First Data Corp. in 2005 found 43 percent of US adults had received at least one bogus purporting to be, in most cases, a financial institution. Of those, about one in or 4.5 million people -- provided the requested information, and about half of those end up being victims of theft or identity fraud. (Source: firstdata.com) The increase of pharming, phishing and identity threats raise authentication and security concerns for financial institutions. According to antiphishing.org, 89.3 percent of all phishing attacks target financial institutions. The FFIEC Response In response, the Federal Financial Institutions Examination Council (FFIEC) issued guidance in 2005 on risk management controls to authenticate the identity of customers accessing Internet-based financial services. The term authentication, within the context of the guidance, describes the process of verifying the identity of a person or entity. Valid authentication methodologies involve three basic factors : Something the user knows (e.g., password, PIN); Something the user has (e.g., ATM card, smart card); and Something the user is (e.g., biometric characteristic, such as a fingerprint). Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. The guidance was issued to give financial institutions direction in complying with provisions of the Gramm-Leach-Bliley Act and the USA PATRIOT Act, and replaces guidance issued in The FFIEC guidance specifically states, The agencies [of the FFIEC] consider single-factor authentication, as the only control mechanism, to be inadequate. Page 3

4 The guidance also states, financial institutions regulated by the agencies should conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing their Internetbased financial services. The related Federal Reserve Board (FRB) Supervisory Letter (SR 05-19) states that the FRB expects financial institutions to have achieved conformance with the guidance by year-end Page 4

5 Risk Assessment Fundamentals An understanding of risk and the application of a risk assessment methodology is essential to being able to efficiently and effectively secure any computing environment. Risk is a measure of the impact of an undesirable event and the likelihood of that undesirable event happening. This general concept may be applied almost universally, for example, in reference to the risk of an earthquake occurring, the risk of taking a loss on an investment or the risk of someone hacking into a database containing sensitive information such as financial records. Risk is an acknowledgement of the fact that life is uncertain and that there are variables both within and outside our control that may affect us. So returning to our concept of impact and likelihood, managing risk involves assessing the level or risk and then managing either the impact of the risk or minimizing the likelihood of the risk occurring. Controls are those manual or automated activities that either prevent a risk from being realized, or detect and correct a situation in which an undesirable event has occurred. At the fundamental level, a control seeks to manage a process or transaction for a predictable outcome. Manual Controls are executed by an individual on a pre-defined schedule (daily, monthly, quarterly, annually etc.). The following list is a sample of manual controls which may be applicable to Internet-based authentication: Policies and procedures for user account provisioning, access and management Policies and procedures for password use, i.e. length, complexity, re-use, forced change Automated Controls are system-based controls executed on a pre-defined schedule (daily, monthly, quarterly, annually etc.). The following list is a sample of automated controls: Automatic termination of internet sessions after a period of inactivity Password encryption Hidden entry of passwords Page 5

6 The FFIEC Authentication Risk Assessment The objectives of the authentication risk assessment are to identify and evaluate risks in the financial institution s Internet product and service offerings. Once identified, the risks should be measured against the effectiveness of existing Internet authentication and layered security controls. The risk assessment calls for an evaluation of the current authentication solution and customer awareness program. Included in the scope of the assessment should be a review of current Internet authentication documentation and capabilities, as well as the technology which supports user authentication (e.g. perimeter security, anomaly detection and user account provisioning). An effective authentication program should include the appropriate authentication and layered security solution to ensure that a complete controls environment is deployed to secure all Internet banking products and services, relative to the risk inherent to each Internet transaction. A user-friendly and informative customer awareness program should also be deployed to educate clients on Internet banking risks. The FFIEC guidance is focused on high-risk transactions that include, access to customer information or the movement of funds to other parties. Access to customer information includes data types that can be used for account hijacking or identity theft, such as names, addresses and phone numbers, social security numbers, bank account numbers and account details held for bill payment purposes (credit cards and other bills paid through online banking). The movement of funds to other parties should include bill payment, wire transfers, transfers to accounts not held by the customer at that given institution, and transfers to other accounts held by the customer outside of a given institution. Thus the scope of the assessment may not be limited solely to authentication technology. Access controls, protecting data in transit and at rest, security monitoring, event logging, intrusion prevention/detection are also important security areas. Beyond systems, any approach to security must examine the people and processes around security. Page 6

7 PART II Authentication Risk Assessment Framework The authentication risk assessment evaluates the existing authentication tools and layered security approach for a financial institution s Internet banking transactions and access control to sensitive data. Establishing a logical risk assessment framework may assist financial institutions in conducting their risk assessment activities. The assessment may consider following areas: Customer Type (e.g. retail or commercial) Transaction Type Volume of Transactions Data Classification Control Effectiveness Control Frequency Identifying each customer type and transaction type assists in calculating the risk impact and likelihood of an authentication compromise. Identifying the impact and likelihood of an authentication compromise, and assigning a numerical value to impact and likelihood, allows for the calculation of an inherent risk score. Internet risk represents the exposure to risk before any risk-mitigation activities, or controls, address inherent risk. Institutions can then identify and score current security and authentication control strength addressing these inherent risks. Again, controls are those policies, procedures, technologies or activities undertaken by individuals to minimize either the impact or the likelihood of a risk occurring. Controls seek to ensure a predictable outcome by either preventing a risk that may be intentional (fraud) or unintentional (error). Controls may also be detective and corrective in nature, which is why the FFIEC risk assessment should consider technologies such as anomaly detection systems. The risk assessment should evaluate enterprise security policies, authentication processes and technologies and risk monitoring procedures when factoring the appropriateness of controls affecting Internet-based authentication. Once the types and strength of controls have been assessed and assigned a numerical value, a financial institution can calculate residual risk. Inherent Risk Control Strength = Residual Risk By analyzing the residual risk scores the financial institution can then determine if the need for stronger authentication or additional security exists. Page 7

8 Risk Assessment Steps The following table illustrates a possible series of steps to be taken in conducting an authentication risk assessment. Risk Assessment Steps Classify/Define Data Identify Data Stores Identify Data Flows/Transactions (Internet-based only) Group Data Transactions Analyze and Assign Transaction Risk Factor, Likelihood Calculate Inherent Risk Analyze Control Effectiveness and Frequency Calculate Control Strength Calculate Residual Risk The Transaction Scorecard The Transaction Risk Scorecard may be generated at the executive level and at the transaction level and may be used to capture the results of the risk assessment. Risk Factor (Impact) (1-5) Likelihood (1-5) Inherent Risk Score (RFxL) Control Strength Score (ExF) Residual Risk Score (IR-CS) Application I Transaction Group A (Initiate) Transaction Group B (Modify) Transaction Group C (Execute) Non-Transaction Specific Data Page 8

9 The Transaction Scorecard: Detailed Explanation Risk Factors The Risk Factor score may be derived from interviews, surveys, documentation and facilitated sessions to assess the impact related to the following risk types should an authentication compromise occur: Legal Financial (Maximum) Reputation Operational Information Loss Privacy (Data Sensitivity) The following is a sample risk factor table: Customer Type I (Retail) Transaction Group A (Initiate) Transaction Group B (Modify) Transaction Group C (Execute) Risk Factor (Impact) Create Account 5 Open Account 4 Change Address 4 Establish Bill Pay 2 Transfer Funds, High-Dollar 5 Transfer Funds, Non High-Dollar 3 Pay Bill 2 Transaction Groups must be adjusted to correspond to the control structure, (i.e. transactions with different controls cannot be grouped). Likelihood The Likelihood score represents the probability that the authentication mechanism utilized by the transaction will be compromised. The Likelihood score accounts for the transaction frequency based on the premise that transactions that occur more frequently are more at risk in the Internet environment or present a greater exposure when aggregated. The Likelihood score may be determined using historical data: Internet server logs, core system activity logs and business intelligence systems may prove valuable in identifying the most frequently executed transactions. Page 9

10 Information security staff should be consulted during the risk assessment to identify trends in prior security events that may increase the likelihood of authentication compromise for specific transactions groups. Inherent Risk Once the Risk Factor (Impact) and Likelihood numerical values have been assigned, the Inherent Risk score can be calculated: Risk Factor (Impact) X Likelihood = Inherent Risk Control Strength Once the inherent risk score has been calculated, the strength of the risk mitigation activities, or controls, must be assessed. The Control Strength score represents the strength of those risk-mitigation activities. The Control Strength score is calculated based on two factors, the Control Effectiveness and Control Frequency. Control Effectiveness The Control Effectiveness score is semi-judgmentally assessed based on the evidence examined by an experienced auditor. The auditor may conduct test work to assess the effectiveness of the control, or may reference prior, recently completed audit test work. The most accurate way to assess control effectiveness is to conduct test work focused on the scope of the FFIEC risk assessment, i.e. focused on authentication and sensitive data protection. Typically controls will be ranked using descriptive criteria and subsequently assigned a numerical value: Weak - The control does not effectively mitigate risk and may need to be improved. Moderate - The control effectively mitigates the risk, but exposure still remains. Strong - The control effectively mitigates the risk and minimizes exposure. The specific criteria used to determine a weak, moderate or strong control must be determined by the financial institution s management structure. Page 10

11 Control Frequency The Control Frequency is again semi-judgmentally assigned and may be calculated based on the following criteria: Is the control automated, i.e. is this a system-based control that operates automatically? Is the control manual? If the control is manual, does testing indicate the control executes effectively each time? Is the execution of the control dependant on a triggering event? The Control Strength score is calculated by multiplying the control effectiveness with its frequency: Control Strength = Control Effectiveness x Control Frequency Residual Risk Score Once the Inherent Risk score and Control Strength score have been calculated, the Residual Risk score is obtained using the following equation: Inherent Risk Control Strength = Residual Risk By analyzing the residual risk scores the financial institution can then determine if the need for stronger authentication or additional security exists. Per the FFIEC guidance, The authentication techniques employed by the financial institution should be appropriate to the risks associate with those [Internet-based] products and services. and, Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks. Page 11

12 Disclaimers Under no circumstances does KPMG warrant that the information, methodology, framework or any material herein presented constitutes an implied or explicit compliance guarantee with the guidance or regulations of any governing or regulatory authority, body or agency. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation KPMG LLP, the U.S. member firm of KPMG International, a Swiss cooperative. All rights reserved. Page 12

13 Contact Information For more information on the material presented herein, please contact either of the following: John Seddon Managing Director KPMG, LLP John Moore Senior Manager KPMG, LLP Page 13